openapi: 3.1.0 info: title: Palo Alto Networks AIOps for NGFW BPA API description: >- AIOps for NGFW Best Practice Assessment (BPA) API. Provides programmatic access to submit BPA requests for Palo Alto Networks next-generation firewalls, check request processing status, and retrieve completed assessment reports. BPA reports analyze firewall configurations against Palo Alto Networks best practices and security benchmarks, identifying gaps and providing remediation guidance to improve security posture. Part of the Strata Cloud Manager platform. version: '1.0' contact: name: Palo Alto Networks Developer Support url: https://pan.dev/ license: name: Proprietary url: https://www.paloaltonetworks.com/legal servers: - url: https://api.stratacloud.paloaltonetworks.com/aiops/bpa/v1 description: AIOps for NGFW BPA API production server. security: - oauth2Bearer: [] tags: - name: BPA Reports description: Completed assessment report retrieval. - name: BPA Requests description: Best Practice Assessment request submission and status tracking. paths: /requests: post: operationId: submitBPARequest summary: Palo Alto Networks Submit BPA Request description: >- Submits a Best Practice Assessment request for a specific NGFW device. The request requires the device serial number, PAN-OS version, and optional device information. The assessment runs asynchronously; use the returned request ID to check status and retrieve the report when complete. tags: - BPA Requests requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/BPARequest' examples: SubmitBparequestRequestExample: summary: Default submitBPARequest request x-microcks-default: true value: serial_number: 4B89BF130877 version: 9.6.8 device_info: &id001 hostname: host-f367 model: VM-300 deployment_type: vm responses: '201': description: BPA request submitted successfully. content: application/json: schema: $ref: '#/components/schemas/BPARequestStatus' examples: SubmitBparequest201Example: summary: Default submitBPARequest 201 response x-microcks-default: true value: request_id: f629a7fb-33c3-4361-a3f4-c438e2f4f747 serial_number: 94C0577F8429 status: processing report_id: '336271' error_message: example-error_message submitted_at: '2025-11-24T06:05:16Z' completed_at: '2024-08-27T07:28:12Z' '400': description: Invalid request body or unsupported PAN-OS version. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: SubmitBparequest400Example: summary: Default submitBPARequest 400 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f '401': description: Invalid or missing Bearer token. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: SubmitBparequest401Example: summary: Default submitBPARequest 401 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f '403': description: Insufficient permissions or device not registered to this tenant. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: SubmitBparequest403Example: summary: Default submitBPARequest 403 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f '409': description: A BPA request is already in progress for this device. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: SubmitBparequest409Example: summary: Default submitBPARequest 409 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: SubmitBparequest500Example: summary: Default submitBPARequest 500 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f x-microcks-operation: delay: 0 dispatcher: FALLBACK /requests/{request_id}: get: operationId: getBPARequestStatus summary: Palo Alto Networks Check BPA Request Status description: >- Returns the current processing status of a submitted BPA request. When the status is completed, the response includes the report ID which can be used to retrieve the full assessment report. Request records are retained for 30 days after completion. tags: - BPA Requests parameters: - name: request_id in: path required: true description: Unique identifier of the BPA request. schema: type: string example: bd9572c6-1b76-43a0-aa1c-3157a63cc89d responses: '200': description: BPA request status returned. content: application/json: schema: $ref: '#/components/schemas/BPARequestStatus' examples: GetBparequestStatus200Example: summary: Default getBPARequestStatus 200 response x-microcks-default: true value: request_id: f629a7fb-33c3-4361-a3f4-c438e2f4f747 serial_number: 94C0577F8429 status: processing report_id: '336271' error_message: example-error_message submitted_at: '2025-11-24T06:05:16Z' completed_at: '2024-08-27T07:28:12Z' '401': description: Invalid or missing Bearer token. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: GetBparequestStatus401Example: summary: Default getBPARequestStatus 401 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f '403': description: Insufficient permissions. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: GetBparequestStatus403Example: summary: Default getBPARequestStatus 403 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f '404': description: BPA request not found or expired. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: GetBparequestStatus404Example: summary: Default getBPARequestStatus 404 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: GetBparequestStatus500Example: summary: Default getBPARequestStatus 500 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f x-microcks-operation: delay: 0 dispatcher: FALLBACK /reports/{report_id}: get: operationId: getBPAReport summary: Palo Alto Networks Get BPA Report description: >- Returns the completed Best Practice Assessment report for a device. The report includes an overall score, category-level scores, pass and fail summaries, and a prioritized list of recommendations for improving the device's security posture against PAN-OS best practices. tags: - BPA Reports parameters: - name: report_id in: path required: true description: Unique identifier of the BPA report. schema: type: string example: '966889' responses: '200': description: BPA report returned. content: application/json: schema: $ref: '#/components/schemas/BPAReport' examples: GetBpareport200Example: summary: Default getBPAReport 200 response x-microcks-default: true value: report_id: '250039' request_id: 9512acfa-8bcf-4c16-b52c-b00b20d8bf8d serial_number: D44EF27DA5D9 pan_os_version: 10.6.9 overall_score: 52.32 category_scores: &id002 - category: standard score: 90.68 passed: 768 failed: 933 not_applicable: 433 total_checks: 185 passed_checks: 690 failed_checks: 850 generated_at: '2024-04-04T12:31:31Z' '401': description: Invalid or missing Bearer token. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: GetBpareport401Example: summary: Default getBPAReport 401 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f '403': description: Insufficient permissions. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: GetBpareport403Example: summary: Default getBPAReport 403 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f '404': description: Report not found. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: GetBpareport404Example: summary: Default getBPAReport 404 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: GetBpareport500Example: summary: Default getBPAReport 500 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f x-microcks-operation: delay: 0 dispatcher: FALLBACK /reports/{report_id}/checks: get: operationId: getBPAReportChecks summary: Palo Alto Networks Get BPA Report Check Details description: >- Returns the individual check results from a BPA report. Each check corresponds to a specific best practice recommendation and includes its pass/fail status, current configuration state, and remediation guidance. Supports filtering by category and status. tags: - BPA Reports parameters: - name: report_id in: path required: true description: Unique identifier of the BPA report. schema: type: string example: '101187' - name: category in: query description: Filter checks by best practice category. schema: type: string enum: - device_management - security_policies - nat_policies - decryption - threat_prevention - url_filtering - wildfire - dns_security - globalprotect example: globalprotect - name: status in: query description: Filter checks by result status. schema: type: string enum: - pass - fail - not_applicable example: pass - name: offset in: query description: Number of results to skip for pagination. schema: type: integer default: 0 example: 0 - name: limit in: query description: Maximum number of checks to return. schema: type: integer default: 50 maximum: 200 example: 50 responses: '200': description: BPA report checks returned. content: application/json: schema: type: object properties: total: type: integer offset: type: integer limit: type: integer items: type: array items: $ref: '#/components/schemas/BPACheck' examples: GetBpareportChecks200Example: summary: Default getBPAReportChecks 200 response x-microcks-default: true value: total: 596 offset: 841 limit: 279 items: - check_id: '147583' category: standard name: Branch Firewall 76 description: Malware investigation on policy blocked endpoint rule threat. status: not_applicable severity: high current_value: example-current_value recommended_value: example-recommended_value remediation: example-remediation references: &id003 - https://vpn.example.com/858ba3 - https://login.acme-systems.org/a6c881 '400': description: Invalid query parameters. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: GetBpareportChecks400Example: summary: Default getBPAReportChecks 400 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f '401': description: Invalid or missing Bearer token. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: GetBpareportChecks401Example: summary: Default getBPAReportChecks 401 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f '403': description: Insufficient permissions. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: GetBpareportChecks403Example: summary: Default getBPAReportChecks 403 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f '404': description: Report not found. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: GetBpareportChecks404Example: summary: Default getBPAReportChecks 404 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' examples: GetBpareportChecks500Example: summary: Default getBPAReportChecks 500 response x-microcks-default: true value: error: example-error message: Violation alert configured endpoint policy policy policy. request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f x-microcks-operation: delay: 0 dispatcher: FALLBACK components: securitySchemes: oauth2Bearer: type: http scheme: bearer bearerFormat: JWT description: >- OAuth 2.0 Bearer token for SASE platform authentication. Obtain using the client_credentials grant with your SASE service account client ID and client secret. schemas: BPARequest: type: object required: - serial_number - version properties: serial_number: type: string description: Device serial number of the NGFW to assess. example: 4B89BF130877 version: type: string description: PAN-OS software version running on the device (e.g., 11.1.2). pattern: '^\d+\.\d+(\.\d+)?(-h\d+)?$' example: 9.6.8 device_info: type: object description: Optional supplementary device information. properties: hostname: type: string description: Device hostname. example: host-d228 model: type: string description: Device model (e.g., PA-5450, PA-440). example: VM-300 deployment_type: type: string enum: - physical - vm - container description: Device deployment type. example: vm example: *id001 BPARequestStatus: type: object properties: request_id: type: string description: Unique identifier of the BPA request. example: f629a7fb-33c3-4361-a3f4-c438e2f4f747 serial_number: type: string description: Device serial number for which the assessment was submitted. example: 94C0577F8429 status: type: string enum: - pending - processing - completed - failed description: Current processing status of the request. example: processing report_id: type: string description: >- Report identifier available when status is completed. Use with GET /reports/{report_id} to retrieve the full report. example: '336271' error_message: type: string description: Error description when status is failed. example: example-error_message submitted_at: type: string format: date-time description: Timestamp when the request was submitted. example: '2025-11-24T06:05:16Z' completed_at: type: string format: date-time description: Timestamp when processing completed. example: '2024-08-27T07:28:12Z' BPAReport: type: object properties: report_id: type: string description: Unique identifier of the report. example: '250039' request_id: type: string description: ID of the BPA request that generated this report. example: 9512acfa-8bcf-4c16-b52c-b00b20d8bf8d serial_number: type: string description: Device serial number assessed. example: D44EF27DA5D9 pan_os_version: type: string description: PAN-OS version assessed. example: 10.6.9 overall_score: type: number format: float description: Overall best practice compliance score from 0.0 to 100.0. minimum: 0.0 maximum: 100.0 example: 52.32 category_scores: type: array description: Compliance scores broken down by best practice category. items: type: object properties: category: type: string description: Best practice category name. example: standard score: type: number format: float description: Category compliance score (0.0 to 100.0). example: 15.77 passed: type: integer description: Number of checks that passed in this category. example: 249 failed: type: integer description: Number of checks that failed in this category. example: 83 not_applicable: type: integer description: Number of checks not applicable to this device. example: 429 example: *id002 total_checks: type: integer description: Total number of checks evaluated. example: 185 passed_checks: type: integer description: Number of checks that passed. example: 690 failed_checks: type: integer description: Number of checks that failed. example: 850 generated_at: type: string format: date-time description: Timestamp when the report was generated. example: '2024-04-04T12:31:31Z' BPACheck: type: object properties: check_id: type: string description: Unique identifier of the check. example: '147583' category: type: string description: Best practice category this check belongs to. example: standard name: type: string description: Name of the best practice check. example: Branch Firewall 76 description: type: string description: Description of what this check evaluates. example: Malware investigation on policy blocked endpoint rule threat. status: type: string enum: - pass - fail - not_applicable description: Result status of this check. example: not_applicable severity: type: string enum: - informational - low - medium - high - critical description: Severity if this check fails. example: high current_value: type: string description: Current configuration value found on the device. example: example-current_value recommended_value: type: string description: Recommended configuration value per best practices. example: example-recommended_value remediation: type: string description: Step-by-step remediation guidance for failed checks. example: example-remediation references: type: array items: type: string format: uri description: Reference URLs with additional guidance. example: *id003 ErrorResponse: type: object properties: error: type: string description: Error code identifying the error type. example: example-error message: type: string description: Human-readable description of the error. example: Violation alert configured endpoint policy policy policy. request_id: type: string description: Request identifier for support correlation. example: e0526af9-36bf-48c4-80c9-db1fb17c933f